Forem: Koukyosyumei The latest articles on Forem by Koukyosyumei (@koukyosyumei). https://forem.com/koukyosyumei https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1000734%2Fde0d0e84-91fc-4007-8bd5-3ef371df714f.jpeg Forem: Koukyosyumei https://forem.com/koukyosyumei en Privacy-Preserving Machine Learning with AIJack - 3: Federated Learning with Paillier Encryption on PyTorch Koukyosyumei Fri, 06 Jan 2023 12:02:13 +0000 https://forem.com/koukyosyumei/privacy-preserving-machine-learning-with-aijack-3-federated-learning-with-paillier-encryption-on-pytorch-2jpg https://forem.com/koukyosyumei/privacy-preserving-machine-learning-with-aijack-3-federated-learning-with-paillier-encryption-on-pytorch-2jpg <p>This post is part of our Privacy-Preserving Machine Learning with AIJack series.</p> <p>Part 1: <a href="https://dev.to/koukyosyumei/privacy-preserving-machine-learning-with-aijack-1-federated-learning-on-pytorch-3i5m">Federated Learning</a><br> Part 2: <a href="https://dev.to/koukyosyumei/privacy-preserving-machine-learning-with-aijack-2-model-inversion-attack-against-federated-learning-on-pytorch-2f3">Model Inversion Attack against Federated Learning</a><br> Part 3: Federated Learning with Paillier Encryption<br> Part 4: Federated Learning with Differential Privacy<br> Part 5: Federated Learning with Sparse Gradient<br> Part 6: Poisoning Attack against Federated Learning<br> Part 7: Federated Learning with FoolsGold<br> Part 8: Split Learning<br> Part 9: Label Leakage against Split Learning</p> <h2> Overview </h2> <p>As shown in <a href="https://dev.to/koukyosyumei/privacy-preserving-machine-learning-with-aijack-2-model-inversion-attack-against-federated-learning-on-pytorch-2f3">the previous tutorials</a>, Federated Learning, one of the popular distributed deep learning paradigms, might leak private information via the local gradient that each client sends to the server. To overcome this problem, the client can encrypt the local gradients before uploading. Recall that the server in Federated Learning has to aggregate the gradients from clients. If the server uses a simple average as the aggregation function, the server can execute such aggregation not on the plain gradients but on the gradients encrypted with Homomorphic Encryption. </p> <p>Homomorphic Encryption is one type of encryption scheme where you can execute some arithmetic operations on cipher texts. For example, Paillier Encryption Scheme has the following properties;</p> <p> </p> <div class="katex-element"> <span class="katex-display"><span class="katex"><span class="katex-mathml">D(E(x)+E(y))=x+yD(E(x)+y)=x+yD(E(x)∗y)=x∗y \begin{align} &amp;\mathcal{D}(\mathcal{E}(x) + \mathcal{E}(y)) = x + y \newline &amp;\mathcal{D}(\mathcal{E}(x) + y) = x + y \newline &amp;\mathcal{D}(\mathcal{E}(x) * y) = x * y \end{align} </span><span class="katex-html"><span class="base"><span class="strut"></span><span class="mtable"><span class="col-align-r"><span class="vlist-t vlist-t2"><span class="vlist-r"><span class="vlist"><span><span class="pstrut"></span><span class="mord"></span></span><span><span class="pstrut"></span><span class="mord"></span></span><span><span class="pstrut"></span><span class="mord"></span></span></span><span class="vlist-s">​</span></span><span class="vlist-r"><span class="vlist"><span></span></span></span></span></span><span class="col-align-l"><span class="vlist-t vlist-t2"><span class="vlist-r"><span class="vlist"><span><span class="pstrut"></span><span class="mord"><span class="mord"></span><span class="mord mathcal">D</span><span class="mopen">(</span><span class="mord mathcal">E</span><span class="mopen">(</span><span class="mord mathnormal">x</span><span class="mclose">)</span><span class="mspace"></span><span class="mbin">+</span><span class="mspace"></span><span class="mord mathcal">E</span><span class="mopen">(</span><span class="mord mathnormal">y</span><span class="mclose">))</span><span class="mspace"></span><span class="mrel">=</span><span class="mspace"></span><span class="mord mathnormal">x</span><span class="mspace"></span><span class="mbin">+</span><span class="mspace"></span><span class="mord mathnormal">y</span></span></span><span><span class="pstrut"></span><span class="mord"><span class="mord"></span><span class="mord mathcal">D</span><span class="mopen">(</span><span class="mord mathcal">E</span><span class="mopen">(</span><span class="mord mathnormal">x</span><span class="mclose">)</span><span class="mspace"></span><span class="mbin">+</span><span class="mspace"></span><span class="mord mathnormal">y</span><span class="mclose">)</span><span class="mspace"></span><span class="mrel">=</span><span class="mspace"></span><span class="mord mathnormal">x</span><span class="mspace"></span><span class="mbin">+</span><span class="mspace"></span><span class="mord mathnormal">y</span></span></span><span><span class="pstrut"></span><span class="mord"><span class="mord"></span><span class="mord mathcal">D</span><span class="mopen">(</span><span class="mord mathcal">E</span><span class="mopen">(</span><span class="mord mathnormal">x</span><span class="mclose">)</span><span class="mspace"></span><span class="mbin">∗</span><span class="mspace"></span><span class="mord mathnormal">y</span><span class="mclose">)</span><span class="mspace"></span><span class="mrel">=</span><span class="mspace"></span><span class="mord mathnormal">x</span><span class="mspace"></span><span class="mbin">∗</span><span class="mspace"></span><span class="mord mathnormal">y</span></span></span></span><span class="vlist-s">​</span></span><span class="vlist-r"><span class="vlist"><span></span></span></span></span></span></span></span><span class="tag"><span class="vlist-t vlist-t2"><span class="vlist-r"><span class="vlist"><span><span class="pstrut"></span><span class="eqn-num"></span></span><span><span class="pstrut"></span><span class="eqn-num"></span></span><span><span class="pstrut"></span><span class="eqn-num"></span></span></span><span class="vlist-s">​</span></span><span class="vlist-r"><span class="vlist"><span></span></span></span></span></span></span></span></span> </div> <p>, where <span class="katex-element"> <span class="katex"><span class="katex-mathml">E\mathcal{E} </span><span class="katex-html"><span class="base"><span class="strut"></span><span class="mord mathcal">E</span></span></span></span> </span> and <span class="katex-element"> <span class="katex"><span class="katex-mathml">D\mathcal{D} </span><span class="katex-html"><span class="base"><span class="strut"></span><span class="mord mathcal">D</span></span></span></span> </span> represent encryption and decryption, respectively.</p> <p>Recall that the server in FedAVG averages the received gradients to update the global model (see <a href="https://dev.to/koukyosyumei/privacy-preserving-machine-learning-with-aijack-1-federated-learning-on-pytorch-3i5m">Part 1</a> for the detail).</p> <div class="katex-element"> <span class="katex-display"><span class="katex"><span class="katex-mathml">wt←wt−1−η∑c=1CncN∇l(wt−1,Xc,Yc) w_{t} \leftarrow w_{t - 1} - \eta \sum_{c=1}^{C} \frac{n_{c}}{N} \nabla \mathcal{l}(w_{t - 1}, X_{c}, Y_{c}) </span><span class="katex-html"><span class="base"><span class="strut"></span><span class="mord"><span class="mord mathnormal">w</span><span class="msupsub"><span class="vlist-t vlist-t2"><span class="vlist-r"><span class="vlist"><span><span class="pstrut"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mtight"><span class="mord mathnormal mtight">t</span></span></span></span></span><span class="vlist-s">​</span></span><span class="vlist-r"><span class="vlist"><span></span></span></span></span></span></span><span class="mspace"></span><span class="mrel">←</span><span class="mspace"></span></span><span class="base"><span class="strut"></span><span class="mord"><span class="mord mathnormal">w</span><span class="msupsub"><span class="vlist-t vlist-t2"><span class="vlist-r"><span class="vlist"><span><span class="pstrut"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mtight"><span class="mord mathnormal mtight">t</span><span class="mbin mtight">−</span><span class="mord mtight">1</span></span></span></span></span><span class="vlist-s">​</span></span><span class="vlist-r"><span class="vlist"><span></span></span></span></span></span></span><span class="mspace"></span><span class="mbin">−</span><span class="mspace"></span></span><span class="base"><span class="strut"></span><span class="mord mathnormal">η</span><span class="mspace"></span><span class="mop op-limits"><span class="vlist-t vlist-t2"><span class="vlist-r"><span class="vlist"><span><span class="pstrut"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mtight"><span class="mord mathnormal mtight">c</span><span class="mrel mtight">=</span><span class="mord mtight">1</span></span></span></span><span><span class="pstrut"></span><span><span class="mop op-symbol large-op">∑</span></span></span><span><span class="pstrut"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mtight"><span class="mord mathnormal mtight">C</span></span></span></span></span><span class="vlist-s">​</span></span><span class="vlist-r"><span class="vlist"><span></span></span></span></span></span><span class="mspace"></span><span class="mord"><span class="mopen nulldelimiter"></span><span class="mfrac"><span class="vlist-t vlist-t2"><span class="vlist-r"><span class="vlist"><span><span class="pstrut"></span><span class="mord"><span class="mord mathnormal">N</span></span></span><span><span class="pstrut"></span><span class="frac-line"></span></span><span><span class="pstrut"></span><span class="mord"><span class="mord"><span class="mord mathnormal">n</span><span class="msupsub"><span class="vlist-t vlist-t2"><span class="vlist-r"><span class="vlist"><span><span class="pstrut"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mtight"><span class="mord mathnormal mtight">c</span></span></span></span></span><span class="vlist-s">​</span></span><span class="vlist-r"><span class="vlist"><span></span></span></span></span></span></span></span></span></span><span class="vlist-s">​</span></span><span class="vlist-r"><span class="vlist"><span></span></span></span></span></span><span class="mclose nulldelimiter"></span></span><span class="mord">∇</span><span class="mord mathnormal">l</span><span class="mopen">(</span><span class="mord"><span class="mord mathnormal">w</span><span class="msupsub"><span class="vlist-t vlist-t2"><span class="vlist-r"><span class="vlist"><span><span class="pstrut"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mtight"><span class="mord mathnormal mtight">t</span><span class="mbin mtight">−</span><span class="mord mtight">1</span></span></span></span></span><span class="vlist-s">​</span></span><span class="vlist-r"><span class="vlist"><span></span></span></span></span></span></span><span class="mpunct">,</span><span class="mspace"></span><span class="mord"><span class="mord mathnormal">X</span><span class="msupsub"><span class="vlist-t vlist-t2"><span class="vlist-r"><span class="vlist"><span><span class="pstrut"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mtight"><span class="mord mathnormal mtight">c</span></span></span></span></span><span class="vlist-s">​</span></span><span class="vlist-r"><span class="vlist"><span></span></span></span></span></span></span><span class="mpunct">,</span><span class="mspace"></span><span class="mord"><span class="mord mathnormal">Y</span><span class="msupsub"><span class="vlist-t vlist-t2"><span class="vlist-r"><span class="vlist"><span><span class="pstrut"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mtight"><span class="mord mathnormal mtight">c</span></span></span></span></span><span class="vlist-s">​</span></span><span class="vlist-r"><span class="vlist"><span></span></span></span></span></span></span><span class="mclose">)</span></span></span></span></span> </div> <p>To mitigate the private information leakage from the gradient, one option for the client is to encrypt the gradient with Paillier Encryption Scheme.</p> <div class="katex-element"> <span class="katex-display"><span class="katex"><span class="katex-mathml">wt←wt−1−η∑c=1CncNE(∇l(wt−1,Xc,Yc)) w_{t} \leftarrow w_{t - 1} - \eta \sum_{c=1}^{C} \frac{n_{c}}{N} \mathcal{E} (\nabla \mathcal{l}(w_{t - 1}, X_{c}, Y_{c})) </span><span class="katex-html"><span class="base"><span class="strut"></span><span class="mord"><span class="mord mathnormal">w</span><span class="msupsub"><span class="vlist-t vlist-t2"><span class="vlist-r"><span class="vlist"><span><span class="pstrut"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mtight"><span class="mord mathnormal mtight">t</span></span></span></span></span><span class="vlist-s">​</span></span><span class="vlist-r"><span class="vlist"><span></span></span></span></span></span></span><span class="mspace"></span><span class="mrel">←</span><span class="mspace"></span></span><span class="base"><span class="strut"></span><span class="mord"><span class="mord mathnormal">w</span><span class="msupsub"><span class="vlist-t vlist-t2"><span class="vlist-r"><span class="vlist"><span><span class="pstrut"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mtight"><span class="mord mathnormal mtight">t</span><span class="mbin mtight">−</span><span class="mord mtight">1</span></span></span></span></span><span class="vlist-s">​</span></span><span class="vlist-r"><span class="vlist"><span></span></span></span></span></span></span><span class="mspace"></span><span class="mbin">−</span><span class="mspace"></span></span><span class="base"><span class="strut"></span><span class="mord mathnormal">η</span><span class="mspace"></span><span class="mop op-limits"><span class="vlist-t vlist-t2"><span class="vlist-r"><span class="vlist"><span><span class="pstrut"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mtight"><span class="mord mathnormal mtight">c</span><span class="mrel mtight">=</span><span class="mord mtight">1</span></span></span></span><span><span class="pstrut"></span><span><span class="mop op-symbol large-op">∑</span></span></span><span><span class="pstrut"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mtight"><span class="mord mathnormal mtight">C</span></span></span></span></span><span class="vlist-s">​</span></span><span class="vlist-r"><span class="vlist"><span></span></span></span></span></span><span class="mspace"></span><span class="mord"><span class="mopen nulldelimiter"></span><span class="mfrac"><span class="vlist-t vlist-t2"><span class="vlist-r"><span class="vlist"><span><span class="pstrut"></span><span class="mord"><span class="mord mathnormal">N</span></span></span><span><span class="pstrut"></span><span class="frac-line"></span></span><span><span class="pstrut"></span><span class="mord"><span class="mord"><span class="mord mathnormal">n</span><span class="msupsub"><span class="vlist-t vlist-t2"><span class="vlist-r"><span class="vlist"><span><span class="pstrut"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mtight"><span class="mord mathnormal mtight">c</span></span></span></span></span><span class="vlist-s">​</span></span><span class="vlist-r"><span class="vlist"><span></span></span></span></span></span></span></span></span></span><span class="vlist-s">​</span></span><span class="vlist-r"><span class="vlist"><span></span></span></span></span></span><span class="mclose nulldelimiter"></span></span><span class="mord mathcal">E</span><span class="mopen">(</span><span class="mord">∇</span><span class="mord mathnormal">l</span><span class="mopen">(</span><span class="mord"><span class="mord mathnormal">w</span><span class="msupsub"><span class="vlist-t vlist-t2"><span class="vlist-r"><span class="vlist"><span><span class="pstrut"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mtight"><span class="mord mathnormal mtight">t</span><span class="mbin mtight">−</span><span class="mord mtight">1</span></span></span></span></span><span class="vlist-s">​</span></span><span class="vlist-r"><span class="vlist"><span></span></span></span></span></span></span><span class="mpunct">,</span><span class="mspace"></span><span class="mord"><span class="mord mathnormal">X</span><span class="msupsub"><span class="vlist-t vlist-t2"><span class="vlist-r"><span class="vlist"><span><span class="pstrut"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mtight"><span class="mord mathnormal mtight">c</span></span></span></span></span><span class="vlist-s">​</span></span><span class="vlist-r"><span class="vlist"><span></span></span></span></span></span></span><span class="mpunct">,</span><span class="mspace"></span><span class="mord"><span class="mord mathnormal">Y</span><span class="msupsub"><span class="vlist-t vlist-t2"><span class="vlist-r"><span class="vlist"><span><span class="pstrut"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mtight"><span class="mord mathnormal mtight">c</span></span></span></span></span><span class="vlist-s">​</span></span><span class="vlist-r"><span class="vlist"><span></span></span></span></span></span></span><span class="mclose">))</span></span></span></span></span> </div> <p>The details procedure of Federated Learning with Paillier Encryption is as follows:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>1. The central server initializes the global model. 2. Clients publish and share private and public keys. 3. The server distributes the global model to each client. 4. Except for the first round, each client decrypts the global model. 5. Each client locally calculates the gradient of the loss function on their dataset. 6. Each client encrypts the gradient and sends it to the server. 7. The server aggregates the received gradients with some method (e.g., average) and updates the global model with the aggregated gradient. 8. Repeat 3 ~ 7 until converge. </code></pre> </div> <h2> Code </h2> <p>We will also use <a href="https://github.com/Koukyosyumei/AIJack" rel="noopener noreferrer">AIJack</a> to implement Federated Learning with Paillier Encryption. All you need is to attach the ability of encryption and decryption to each client via <code>PaillierGradientClientManager</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code> <span class="kn">from</span> <span class="n">aijack.defense</span> <span class="kn">import</span> <span class="n">PaillierGradientClientManager</span><span class="p">,</span> <span class="n">PaillierKeyGenerator</span> <span class="n">keygenerator</span> <span class="o">=</span> <span class="nc">PaillierKeyGenerator</span><span class="p">(</span><span class="mi">64</span><span class="p">)</span> <span class="n">pk</span><span class="p">,</span> <span class="n">sk</span> <span class="o">=</span> <span class="n">keygenerator</span><span class="p">.</span><span class="nf">generate_keypair</span><span class="p">()</span> <span class="n">manager</span> <span class="o">=</span> <span class="nc">PaillierGradientClientManager</span><span class="p">(</span><span class="n">pk</span><span class="p">,</span> <span class="n">sk</span><span class="p">)</span> <span class="n">PaillierGradFedAVGClient</span> <span class="o">=</span> <span class="n">manager</span><span class="p">.</span><span class="nf">attach</span><span class="p">(</span><span class="n">FedAVGClient</span><span class="p">)</span> <span class="n">clients</span> <span class="o">=</span> <span class="p">[</span> <span class="nc">PaillierGradFedAVGClient</span><span class="p">(</span><span class="nc">Net</span><span class="p">().</span><span class="nf">to</span><span class="p">(</span><span class="n">device</span><span class="p">),</span> <span class="n">user_id</span><span class="o">=</span><span class="n">c</span><span class="p">,</span> <span class="n">server_side_update</span><span class="o">=</span><span class="bp">False</span><span class="p">)</span> <span class="k">for</span> <span class="n">c</span> <span class="ow">in</span> <span class="nf">range</span><span class="p">(</span><span class="n">client_size</span><span class="p">)</span> <span class="p">]</span> <span class="n">server</span> <span class="o">=</span> <span class="nc">FedAVGServer</span><span class="p">(</span><span class="n">clients</span><span class="p">,</span> <span class="nc">Net</span><span class="p">().</span><span class="nf">to</span><span class="p">(</span><span class="n">device</span><span class="p">),</span> <span class="n">server_side_update</span><span class="o">=</span><span class="bp">False</span><span class="p">)</span> <span class="c1"># Same code as in Part 1 </span></code></pre> </div> <h2> Summary </h2> <p>In this post, we have learned that clients in Federated Learning can encrypt the gradients with Homomorphic Encryption to prevent privacy violations via gradients. However, this method makes it impossible for the server to check and validate the gradient, which might cause other threats like Poisoning Attack. We will study these risks in the next tutorial.</p> security deeplearning machinelearning python